SSL support and CloudFlare for Lanik.us forums

General forum information, announcements, news, questions and suggestions.

Moderator: EasyList authors

Lanik
Site Owner
Posts: 1255
Joined: Thu Feb 15, 2007 7:44 am
Reputation: 13
Location: /dev/null

Post by Lanik » Sun Jan 18, 2015 10:23 pm

All,

I've enabled SSL support for this forum as well as put it up on CloudFlare (http://www.cloudflare.com). If you have any questions please post them in this thread.

Thank you.
"If it ain't broke don't fix it."

fanboy
EasyList Author
Posts: 9661
Joined: Wed Sep 05, 2007 8:17 pm
Reputation: 16

Post by fanboy » Mon Jan 19, 2015 1:30 am

Could use HSTS instead?

Lanik
Site Owner
Posts: 1255
Joined: Thu Feb 15, 2007 7:44 am
Reputation: 13
Location: /dev/null

Post by Lanik » Mon Jan 19, 2015 2:26 am

If you mean this then I would have to see if my host and/or CloudFlare support it.
"If it ain't broke don't fix it."

fanboy
EasyList Author
Posts: 9661
Joined: Wed Sep 05, 2007 8:17 pm
Reputation: 16

Post by fanboy » Mon Jan 19, 2015 2:29 am

Cloudflare would support it, it'd query it with your host

https://raymii.org/s/tutorials/HTTP_Str ... httpd.html

harol
Site Member
Posts: 13
Joined: Wed Jan 14, 2015 11:01 am
Reputation: 0

Post by harol » Mon Jan 19, 2015 9:08 am

fanboy wrote: Could use HSTS instead?

Here is what I put in .htaccess myself:

Code:

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Later down the track you should also do this: https://hstspreload.appspot.com/

Thanks again for enabling HTTPS!

Lanik
Site Owner
Posts: 1255
Joined: Thu Feb 15, 2007 7:44 am
Reputation: 13
Location: /dev/null

Post by Lanik » Mon Jan 19, 2015 11:31 am

harol wrote:

Code:

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Thanks, I've added that to my .htaccess (I wish I had access to Apache but it's a hosted account :( ).

I've also added this to my .htaccess:

Code:

# Redirect any request that did not arrive over HTTPS to the same host and path on https://
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

harol wrote: Thanks again for enabling HTTPS!

You're welcome. We're passing usernames and passwords once people sign up and log in and it's about time we're doing it through HTTPS, especially this day and age.
"If it ain't broke don't fix it."
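
A checker for the two .htaccess changes discussed above (harol's Strict-Transport-Security header and Lanik's HTTPS redirect), added here as an example and not code from any poster. The host name, sample responses and function names are constructed; the preload criteria (max-age of at least one year plus the includeSubDomains and preload directives) are the preload list's current submission requirements, not something stated in the thread.

```python
# Added example: audit the HTTP->HTTPS redirect and HSTS header from this thread.
from urllib.parse import urlsplit

PRELOAD_MIN_AGE = 31536000  # assumption: preload list minimum max-age (one year)

# Constructed responses for a hypothetical host, shaped like the output of the
# rewrite rule and the Header directive quoted in the thread.
HOST = "forums.example"
HTTP_RESP = (301, {"location": "https://forums.example/"})
HTTPS_RESP = (200, {"strict-transport-security":
                    "max-age=31536000; includeSubDomains"})


def parse_hsts(value):
    """Return {directive: value-or-True}, or None if a directive repeats.

    RFC 6797: directive names are case-insensitive and may appear only once.
    """
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in directives:
            return None
        directives[name] = arg.strip().strip('"') if arg else True
    return directives


def audit(host, http_resp, https_resp):
    """List findings; each response is (status, headers-with-lowercase-names)."""
    findings = []
    status, headers = http_resp
    target = urlsplit(headers.get("location", ""))
    if status != 301 or target.scheme != "https" or target.hostname != host:
        findings.append("http does not 301 to https on the same host")
    policy = parse_hsts(https_resp[1].get("strict-transport-security", ""))
    if not policy or not str(policy.get("max-age", "")).isdecimal():
        return findings + ["no valid HSTS policy on https"]
    if int(policy["max-age"]) < PRELOAD_MIN_AGE:
        findings.append("max-age below preload minimum")
    for flag in ("includesubdomains", "preload"):
        if flag not in policy:
            findings.append(f"missing {flag} directive")
    return findings


if __name__ == "__main__":
    print(audit(HOST, HTTP_RESP, HTTPS_RESP))
```

With the header exactly as posted, the only finding is the missing preload directive, which matters only once the site is submitted to the preload list.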

intense
Contributor
Posts: 5924
Joined: Wed Mar 27, 2013 9:56 am
Reputation: 50

Post by intense » Tue Jan 20, 2015 8:37 am

now ...this forum is not available anymore from chrome on windows XP

A secure connection cannot be established because this site uses an unsupported protocol.
Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

fanboy
EasyList Author
Posts: 9661
Joined: Wed Sep 05, 2007 8:17 pm
Reputation: 16

Post by fanboy » Tue Jan 20, 2015 8:49 am

Does it apply to Firefox in xp?

fanboy
EasyList Author
Posts: 9661
Joined: Wed Sep 05, 2007 8:17 pm
Reputation: 16

Post by fanboy » Tue Jan 20, 2015 10:55 am

https://www.cloudflare.com/ssl

Universal SSL uses SNI certificates with ECDSA. SNI & ECDSA certs work with the following modern browsers:

Desktop Browsers

* Internet Explorer 7 and later
* Firefox 2
* Opera 8 with TLS 1.1 enabled
* Google Chrome:
  * Supported on Vista and later by default
  * OS X 10.5.7 in Chrome Version 5.0.342.0 and later
* Safari 2.1 and later (requires OS X 10.5.6 and later or Windows Vista and later)

I can see why given security around older operating systems, as well as limitations by Chrome on XP.

intense
Contributor
Posts: 5924
Joined: Wed Mar 27, 2013 9:56 am
Reputation: 50

Post by intense » Tue Jan 20, 2015 10:58 am

those still with windows XP (still 20% in windows world...) can use only firefox to visit the forum


fanboy
EasyList Author
Posts: 9661
Joined: Wed Sep 05, 2007 8:17 pm
Reputation: 16

Post by fanboy » Tue Jan 20, 2015 11:34 am

Going by stats, XP Web Clients is around 16-5% depending on your measurement http://en.wikipedia.org/wiki/Usage_shar ... ng_systems (and decreasing).

  1. The options could be to disable hsts so it'll allow non-https for older browsers
  2. Ditch the CDN, and just use a cert
  3. Keep the status quo, given the small percentages of XP users. Firefox still an option here

While I'm surprised XP is still running, 14 years of the same OS doesn't seem a good idea given Microsoft isn't supporting it. And come this April Google Chrome won't support XP either.

Lanik
Site Owner
Posts: 1255
Joined: Thu Feb 15, 2007 7:44 am
Reputation: 13
Location: /dev/null

Post by Lanik » Tue Jan 20, 2015 6:07 pm

intense wrote: now ...this forum is not available anymore from chrome on windows XP

A secure connection cannot be established because this site uses an unsupported protocol.
Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Sorry, I have no love lost for a 14 year old operating system. If this becomes more of an issue besides one person I may change my mind, but not at this time as a workaround is still available.
"If it ain't broke don't fix it."

smed79
Liste AR Author
Posts: 10564
Joined: Sun Jan 17, 2010 4:00 am
Reputation: 66
Location: EasyList Forum

Post by smed79 » Sat Jan 24, 2015 2:11 am

intense wrote: now ...this forum is not available anymore from chrome on windows XP

On Windows XP, IE & Chrome cannot manage ECDSA certificates > try using Firefox or Firefox portable edition.

source: https://code.google.com/p/chromium/issu ... ?id=431176
•► Before posting, to find your answer fast, read Forum « RULES » and use « Search »
••► Don't post clickable links » use inline text bbcode notation « [ C ] » or « [ code ] »

midas
Senior Member
Posts: 83
Joined: Mon May 07, 2012 6:59 pm
Reputation: 0

Post by midas » Thu Feb 12, 2015 1:39 am

I ended up here trying to find out why I couldn't access the forum anymore. At first I thought the site was down, until I figured out Chrome was the issue. And now I'm learning that you don't care about users on XP. Thank you, nice to know.

fanboy
EasyList Author
Posts: 9661
Joined: Wed Sep 05, 2007 8:17 pm
Reputation: 16

Post by fanboy » Thu Feb 12, 2015 9:24 am

midas wrote: And now I'm learning that you don't care about users on XP. Thank you, nice to know.

It's not that we don't care, XP is an aging OS and the limitation is within Chrome itself. The SSL/CDN upgrade is to benefit 90-95% of the community, over a small minority of users not willing to upgrade their OS.. what needs to give?

Anyways there is always Firefox to get around the issue of Chrome on XP.

arthurtiteica
New Member
Posts: 1
Joined: Mon Apr 13, 2015 7:01 pm
Reputation: 0

Post by arthurtiteica » Mon Apr 13, 2015 7:11 pm

CloudFlare blocks Tor users by default with an unreadable captcha.

This may be disabled on a per CloudFlare account basis.

Please look into it.

And just to get it out because I spent 20 minutes just to get the above message to you:

* lanik.us doesn't have a webmaster@ email address.
* the keycaptcha required when registering doesn't work on Firefox 37 Linux. It may very well be some ublock/other addon interference but I did try disabling all for this site.

Lanik
Site Owner
Posts: 1255
Joined: Thu Feb 15, 2007 7:44 am
Reputation: 13
Location: /dev/null

Post by Lanik » Thu Apr 16, 2015 7:59 pm

I'll check for Tor settings on CloudFlare.

You're correct I'm not using webmaster@ email. I'm using a different email to keep my mailbox somewhat spam free. PM me and I'll tell you what it is.

Captcha worked for me on Chrome last time I looked.
"If it ain't broke don't fix it."

funkydude
Senior Member
Posts: 69
Joined: Sat Feb 12, 2011 3:46 pm
Reputation: 0

Post by funkydude » Thu Apr 23, 2015 1:03 am

It's not a Windows XP issue, at least not solely, since I'm not using that. There are definitely connection issues that have nothing to do with the browser. I cannot access the website directly anymore, as I posted in the "bumping" thread, but was completely ignored by Lanik.

The proxy I was using last time has now also been blocked and I'm having to use a different proxy to access the website, in the exact same browser.

While I could blame this issue on changing to cloudflare, the fact is this issue started happening AFTER that. So I can only assume a setting has been changed that is overly aggressive.

There is no captcha, the connection just times out.

Lanik
Site Owner
Posts: 1255
Joined: Thu Feb 15, 2007 7:44 am
Reputation: 13
Location: /dev/null

Post by Lanik » Fri Apr 24, 2015 11:09 pm

Around what time did it start happening?

I haven't made changes to CloudFlare since I set it up.
"If it ain't broke don't fix it."

funkydude
Senior Member
Posts: 69
Joined: Sat Feb 12, 2011 3:46 pm
Reputation: 0

Post by funkydude » Sat Apr 25, 2015 12:13 am

Around the end of February/Beginning of March.

funkydude
Senior Member
Posts: 69
Joined: Sat Feb 12, 2011 3:46 pm
Reputation: 0

Post by funkydude » Fri May 01, 2015 5:15 pm

It seems to be getting worse by the day, with most proxy sites reporting an "SSL error" when trying to access the website.

Lanik
Site Owner
Posts: 1255
Joined: Thu Feb 15, 2007 7:44 am
Reputation: 13
Location: /dev/null

Post by Lanik » Mon May 04, 2015 11:50 pm

I don't see any proxy settings on CloudFlare. Then again I haven't been using it for long. If someone, other than me, knows about any proxy that would be great if they can share. The only thing I'm seeing is firewall logs sorted by IP so I could see what's going by IP if you can provide to me. Honestly I don't think it's going to do anything beyond confirming there is a problem which we already know. I think this would be something you need to contact CloudFlare about since I have no control what they block or not.

Alternatively I suggest not using a proxy as it's known to cause problems.
"If it ain't broke don't fix it."

funkydude
Senior Member
Posts: 69
Joined: Sat Feb 12, 2011 3:46 pm
Reputation: 0

Post by funkydude » Wed May 06, 2015 2:09 pm

I can't not use a proxy, I can no longer access the site directly... I HAVE to use a proxy just to access it, the site is completely broken. It seems there is some form of geo blocking enabled.

Here is an easy way to reproduce it:
https://hide.me/en/proxy
Select Netherlands
type forums.lanik.us
error

Now select USA
type forums.lanik.us
works fine

Lanik
Site Owner
Posts: 1255
Joined: Thu Feb 15, 2007 7:44 am
Reputation: 13
Location: /dev/null

Post by Lanik » Wed May 06, 2015 6:05 pm

funkydude wrote: https://hide.me/en/proxy

That gives me a 404.
"If it ain't broke don't fix it."

funkydude
Senior Member
Posts: 69
Joined: Sat Feb 12, 2011 3:46 pm
Reputation: 0

Post by funkydude » Sat May 09, 2015 11:33 am

Lanik wrote:
funkydude wrote: https://hide.me/en/proxy
That gives me a 404.

Eh? No it doesn't. It's a top search result.

startpage.com
search lanik forums
select view by ixquick proxy
403 forbidden

goto https://www.proxfree.com/
type forums.lanik.us
error

I don't really understand why this is taking so long for you to investigate. Personally I'd rather you revert the whole thing.
Restricting users to a site like this is outright stupid, this isn't some kind of top security banking website, it's a forum.

Lanik
Site Owner
Posts: 1255
Joined: Thu Feb 15, 2007 7:44 am
Reputation: 13
Location: /dev/null

Post by Lanik » Mon May 11, 2015 5:14 pm

Same problem ... 404.

funkydude wrote: I don't really understand why this is taking so long for you to investigate. Personally I'd rather you revert the whole thing.

That's not going to happen. I'm not going to revert those changes for 1 or even 2 users.

funkydude wrote: Restricting users to a site like this is outright stupid, this isn't some kind of top security banking website, it's a forum.

This is NOT up for debate. It's take it or leave it, simple as that. Unless you're paying my hosting bills this is how it's going to be.
"If it ain't broke don't fix it."

funkydude
Senior Member
Posts: 69
Joined: Sat Feb 12, 2011 3:46 pm
Reputation: 0

Post by funkydude » Tue May 12, 2015 12:50 am

Lanik wrote: Same problem ... 404.

You clearly have proxy websites blocked locally. We're not going to get any further with this until you work that out.

Lanik wrote: That's not going to happen. I'm not going to revert those changes for 1 or even 2 users.

What makes you think this only affects 1 or 2 users? I can't access the website directly, anyone with the same problem would naturally assume the website is down, it just times out. This is clearly a major issue if country specific proxies can't access the website.

Lanik wrote: This is NOT up for debate. Its take it or leave it simple as that. Unless you're paying my hosting bills this is how it's going to be.

That's kind of odd logic there. You're talking about bills in the way someone would reason trying to save money, yet the cloudflare approach is not for those trying to save money...

funkydude
Senior Member
Posts: 69
Joined: Sat Feb 12, 2011 3:46 pm
Reputation: 0

Post by funkydude » Fri Jun 12, 2015 1:37 am

Am I to assume you don't care enough to fix this?

When attempting to access via startpage proxy:
The page you requested could not be retrieved by the StartPage Proxy, as a "403 Forbidden" message was received.
It is possible that the page is not available to anyone. Alternatively, the page may require the use of a certain browser, or cookies, or a password, for access.

Lanik
Site Owner
Posts: 1255
Joined: Thu Feb 15, 2007 7:44 am
Reputation: 13
Location: /dev/null

Post by Lanik » Fri Jun 12, 2015 7:07 pm

funkydude wrote: Am I to assume you don't care enough to fix this?

You're right. I don't care to fix a problem one user is having that I can't reproduce.

Obviously if you're posting this you can get to the site.
"If it ain't broke don't fix it."

Locked